I won’t recommend spending too long to solve this issue. As an inside note (which would be public someday), we’re moving to deprecate Identity. I believe it would still continue to work for existing users, but you can expect us to not provide any support for that feature.
As for how to do what I suggested there, you can use Identity-triggered functions: Functions and Identity | Netlify Docs (the login event). Within the Function, you can validate any 2FA requests and decide whether or not to allow the login.
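As an added illustration of the Identity-triggered login function described above (this is example code, not from the post or from Netlify): a handler for the `identity-login` trigger that reads the `user` object from the event body, checks a hypothetical second-factor policy, and answers 200 to let the login proceed or 401 to reject it. The `app_metadata` fields `mfa_enrolled` and `mfa_verified_at`, the five-minute freshness window, and the assumption that a non-2xx response blocks the login are all choices made for this example; consult the Netlify docs for the exact response contract before relying on it.

```javascript
// Hypothetical file: netlify/functions/identity-login.js
// Assumed policy for this example: a user whose app_metadata says they are
// enrolled in a second factor may only log in if a recent verification is
// recorded. Netlify Identity does not provide MFA itself; the fields below
// are assumed to be written by your own verification step.
const FRESHNESS_MS = 5 * 60 * 1000; // assumed window: 5 minutes

// Parse the JSON body defensively; a malformed body must not throw.
function parseIdentityEvent(rawBody) {
  try {
    const parsed = JSON.parse(rawBody || "{}");
    return parsed && typeof parsed === "object" ? parsed : {};
  } catch (_err) {
    return {};
  }
}

// Decide the login outcome. `now` is injectable so the freshness check is testable.
function decideLogin(rawBody, now = Date.now()) {
  const { user } = parseIdentityEvent(rawBody);
  if (!user || typeof user.email !== "string") {
    return { statusCode: 400, body: JSON.stringify({ error: "malformed identity event" }) };
  }
  const meta = user.app_metadata || {};

  // Not enrolled (assumed to mean enrollment is handled elsewhere): allow as-is.
  if (meta.mfa_enrolled !== true) {
    return { statusCode: 200, body: "{}" };
  }

  // Enrolled: require a verification timestamp inside the freshness window.
  const verifiedAt = Date.parse(meta.mfa_verified_at || "");
  const fresh = Number.isFinite(verifiedAt) && now - verifiedAt >= 0 && now - verifiedAt < FRESHNESS_MS;
  if (!fresh) {
    // Assumption: a non-2xx status causes Netlify Identity to reject the login.
    return { statusCode: 401, body: JSON.stringify({ error: "second factor required" }) };
  }
  return { statusCode: 200, body: "{}" };
}

// Netlify function entry point (event.body carries the Identity payload).
const handler = async (event) => decideLogin(event.body);

if (typeof module !== "undefined") {
  module.exports = { handler, decideLogin, parseIdentityEvent };
}
```

Keep the decision logic in a plain function like `decideLogin` so it can be unit-tested without deploying; the handler itself only forwards the event body.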